NodeBB · CVE-2022-46164
**Name of the Vulnerable Software and Affected Versions**
NodeBB versions prior to 2.6.1
**Description**
The issue arises from a plain object with a prototype being used in socket.io message handling; a specially crafted payload can abuse this to impersonate other users and take over accounts.
**Recommendations**
For versions prior to 2.6.1, upgrade to version 2.6.1, which contains the fix.
As a temporary workaround, users unable to upgrade can cherry-pick commit `48d143921753914da45926cca6370a92ed0c46b8` into their codebase to apply the fix.